Few general questions, firewall, HIPS, logs

[Octopuss 5]

I am not a complete newcomer when it comes to ESET, but I haven't used it for some time, and definitely didn't explore it in depth when I did.

I downloaded trial version of SS7 to decide whether to buy it or not, and have a few questions regarding functionality of some of the components.

 

1) HIPS:

- Keeping the SS protection active seems like a nobrainer, but I can't seem to be able to create an exception for programs that somehow interfere with it, namely Process Explorer. When I run it, the log is inmmediatelly flooded by insane amount of blocking spam. Is that by design, or is there anything I can do about that?

- Is there any way to customize what gets logged? The log is absolutely spammed by events that were allowed. That's useless information for me. I'd much rather only see what was actually blocked so I could take action.

 

2) Firewall related:

- Again, log customization. I see tons of events telling me that no application is listening on given port. Allright, but I don't need to see that either.

- Rules editor: Is it really not possible to mark several rules just like in the HIPS section (where you can't use Del key for a change) so they can be easily deleted? This is really awkward.

 

3) General log related:

The window itself and the columns' size doesn't save. Is that a bug, or by design, or what? (in fact, the entire program seems to suffer from this)

There's no way to change the sorting in any way.

Copypaste functionality seems to be nonexistant. Yes I can copy an entire line, but I would hardly call that useful. I hoped I could either freely mark something and copy it, or at least to copy individual "cells".

Is this all by design? Can I file a feature request or something somewhere?

 

 

[Marcos 5,070]

Hello,

1, make sure that you have logging of blocked operations disabled in the advanced HIPS setup. This kind of logging serves only for troubleshooting purposes when tackling an issue related to HIPS.

2, make sure that you have logging of blocked communications disabled in the IDS setup. This kind of logging serves only for troubleshooting purposes when tackling an issue with firewall blocking a communication.

3, it's all by design. Maybe the width of columns will be remembered in future version; on the other hand this will require creation of many new registry values.

[Octopuss 5]

1) I am not sure I understand. I like to know what was blocked, because it might explain why something doesn't work. I might want to disable it in future, though.

I am more concerned by seeing what was allowed in the log. That serves no purpose at all, and I can't get rid of it.

 

2) Again, that doesn't answer my question at all. It's not blocked communication that's a problem for me at this point.

(What does IDS mean anyway?)

 

3) I see But why registry? This can be saved in configuration files just as well, and make transferring settings much more compfortable.

[Arakasi 549]

Hello,

The first question i'm not sure i could elaborate any further on keeping blocked operations off for easier reading.

 

2. IDS = Intrusion Detection System

 

3. ESET Products have been known a number of years for being vastly lightweight compared to other vendors products.

Their programming etiquette like utilizing the registry, instead of file dumping is only one... but, one of the reasons nonetheless.

 

Thanks for your posts today ! Hope your questions get answered.

[SweX 871]

Hello hello,

 

IMO for 1. and 2. you should still keep the logging disabled like Marcos says as it is for troubleshooting purposes only. We had another user here not long ago that were also pointing out that the log showed some blocked operations for Process Explorer, and the answer was if process explorer is working correctly as expected then those blocks have no effect on process explorer and it's operations, i.e the blocks seen in the log can be ignored. And advice was given to disable the logging.

 

If for some rare reason a program doesn't work correctly, then it's a good idea to enabled logging of blocked operations and you would probably see blocks just like you do now for process explorer, only that then they shouldn't be ignored since you know there's an issue, but until then it's best to keep logging disabled or else there's a great chance you will see a big log file that's related to ESET that has been created thanks to the continuous logging.

 

HTH, SweX

[Octopuss 5]

Yes, I will in a few days when I am sure everything works fine, but currently my logs are growing like mad because of ALLOWED operations.

But I guess that's nothing I can solve by anything else but hoping I will get the chance to configure it in future version of the program.

[Marcos 5,070]

It'd be good to post a couple of records that are being logged on your computer. I've tried running Process Explorer and HIPS was logging only the following as long as logging of blocked operations was enabled:

 

2/28/2014 12:49:33 AM C:\Documents and Settings\Administrator\Desktop\procexp.exe Get access to file C:\Program Files\ESET\ESET Smart Security\ekrn.exe some access blocked Self-Defense: Protect ESET files Write to file
2/28/2014 12:49:33 AM C:\Documents and Settings\Administrator\Desktop\procexp.exe Get access to file C:\Program Files\ESET\ESET Smart Security\egui.exe some access blocked Self-Defense: Protect ESET files Write to file

[Octopuss 5]

Sigh.

Let me try again.

I am not talking about logging of blocked operations, I am talking about logging of allowed operations.

 

28.2.2014 10:04:55    C:\Windows\System32\services.exe    Upravit nastavení při spuštění    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath    povolené    Automatický režim    
28.2.2014 10:04:55    C:\Windows\System32\services.exe    Upravit nastavení při spuštění    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\Start    povolené    Automatický režim    
28.2.2014 10:04:55    C:\Windows\System32\services.exe    Upravit nastavení při spuštění    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\Start    povolené    Automatický režim    
28.2.2014 10:04:50    C:\Windows\System32\services.exe    Upravit nastavení při spuštění    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath    povolené    Automatický režim    
28.2.2014 10:04:50    C:\Windows\System32\services.exe    Upravit nastavení při spuštění    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\Start    povolené    Automatický režim    
28.2.2014 10:04:50    C:\Windows\System32\services.exe    Upravit nastavení při spuštění    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\Start    povolené    Automatický režim    
28.2.2014 10:04:45    C:\Windows\System32\services.exe    Upravit nastavení při spuštění    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath    povolené    Automatický režim    
28.2.2014 10:04:45    C:\Windows\System32\services.exe    Upravit nastavení při spuštění    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\Start    povolené    Automatický režim    
28.2.2014 10:04:45    C:\Windows\System32\services.exe    Upravit nastavení při spuštění    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\Start    povolené    Automatický režim    
28.2.2014 10:04:39    C:\Windows\System32\services.exe    Upravit nastavení při spuštění    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath    povolené    Automatický režim    
28.2.2014 10:04:39    C:\Windows\System32\services.exe    Upravit nastavení při spuštění    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\Start    povolené    Automatický režim    
28.2.2014 10:04:39    C:\Windows\System32\services.exe    Upravit nastavení při spuštění    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\Start    povolené    Automatický režim    
28.2.2014 10:04:34    C:\Windows\System32\services.exe    Upravit nastavení při spuštění    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath    povolené    Automatický režim    
28.2.2014 10:04:34    C:\Windows\System32\services.exe    Upravit nastavení při spuštění    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\Start    povolené    Automatický režim    
28.2.2014 10:04:34    C:\Windows\System32\services.exe    Upravit nastavení při spuštění    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\Start    povolené    Automatický režim    
28.2.2014 10:04:29    C:\Windows\System32\services.exe    Upravit nastavení při spuštění    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath    povolené    Automatický režim    
28.2.2014 10:04:29    C:\Windows\System32\services.exe    Upravit nastavení při spuštění    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\Start    povolené    Automatický režim    
28.2.2014 10:04:29    C:\Windows\System32\services.exe    Upravit nastavení při spuštění    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\Start    povolené    Automatický režim    
28.2.2014 10:04:23    C:\Windows\System32\services.exe    Upravit nastavení při spuštění    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath    povolené    Automatický režim    
28.2.2014 10:04:23    C:\Windows\System32\services.exe    Upravit nastavení při spuštění    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\Start    povolené    Automatický režim    
28.2.2014 10:04:23    C:\Windows\System32\services.exe    Upravit nastavení při spuštění    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\Start    povolené    Automatický režim    
28.2.2014 10:04:22    C:\Windows\System32\services.exe    Upravit nastavení při spuštění    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath    povolené    Automatický režim    
28.2.2014 10:04:22    C:\Windows\System32\services.exe    Upravit nastavení při spuštění    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\Start    povolené    Automatický režim  

 

It's in czech, because the web installer knew better which language I wanted (bleh).

Edited February 28, 2014 by Octopuss

[Marcos 5,070]

Probably you enabled "Notify when changes occur in Startup applications" option in the advanced HIPS setup which causes the excessive logging.

[Arakasi 549]

Yeah that option is annoying lol

[Octopuss 5]

Ah, that did it. Good! As a workaround at least. I still hope we will get more customization options in future builds.

 

Firewall log is still flooded with tons of events telling me no applications are listening on given port. Kingdom and half princess for customization!

[Octopuss 5]

Does SS really only support Thunderbird up to version 5? That's how I understand the setting at least. Current version is 24.

Edited March 3, 2014 by Octopuss

[Arakasi 549]

By support , it only means addons or hooks into the client.

Your mail will still get scanned regardless of the software support. Using protocol scanning ie. Pop3 , imap, etc.

[Octopuss 5]

Hm.... I though it would have been nice if spam or other mails could get automatically moved and marked. At least that's how I understood it was supposed to work.